The U.S. Department of Homeland Security (DHS), working with federal and international law enforcement agencies, announced last week that it has dismantled critical infrastructure used by the BlackSuit ransomware group. BlackSuit, the successor to Royal ransomware, has been linked to attacks on essential services worldwide. The operation led to the seizure of servers, domains, and digital assets used to deliver ransomware, extort victims, and launder illicit proceeds.

Executed by Immigration and Customs Enforcement’s Homeland Security Investigations, the takedown follows a series of attacks since 2022 in which the Royal and BlackSuit ransomware groups compromised more than 450 known U.S. victims, including organizations in healthcare, education, public safety, energy, and government. Combined, the groups have received more than US$370 million in ransom payments, based on present-day valuations of cryptocurrency. 

These ransomware groups used double-extortion tactics, encrypting victims’ systems while threatening to leak stolen data to pressure them into paying.

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Michael Prado, deputy assistant director at the HSI Cyber Crimes Center. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

“This investigation reflects the full reach of HSI’s cyber mission and our commitment to protecting victims — whether they’re small businesses, school systems, or hospitals,” said Christopher Heck, HSI Washington, D.C. acting Special Agent in Charge. “We will continue to target the infrastructure, finances and operators behind these ransomware groups to ensure they have nowhere left to hide.”

The investigation was supported by HSI’s Cyber Crimes Center, IRS Criminal Investigation’s Cyber Crimes Unit, the FBI, Europol, and international law enforcement partners, including the United Kingdom’s National Crime Agency and Northwest Regional Organized Crime Unit, Germany’s Landeskriminalamt Niedersachsen, Ireland’s Garda National Cyber Crime Bureau, Ukraine’s Cyberpolice Department, Lithuania’s Criminal Police Bureau, France’s Office Anti-Cybercriminalité, and Canada’s Royal Canadian Mounted Police and Delta Police Department. The coordinated takedown, carried out under Operation Checkmate, was part of a Europol Joint Cyber Action Task Force initiative targeting the Royal and BlackSuit ransomware groups.

The takedown comes as the case is being prosecuted by the U.S. Attorney’s Office for the Eastern District of Virginia, which continues to collaborate with international partners to pursue legal accountability for those involved in the Royal and BlackSuit campaigns. The Department of Justice National Security Division’s National Security Cyber Section, the U.S. Attorney’s Office for the District of Columbia, the Justice Department’s Office of International Affairs, HSI The Hague, HSI Frankfurt, HSI London, HSI Bucharest, and HSI San Diego also assisted in this investigation.

Last year, global law enforcement agencies, including Europol, the Federal Bureau of Investigation (FBI), and the U.K.’s National Crime Agency, dismantled a dark web site linked to the LockBit ransomware group. The takedown, known as Operation Cronos, was part of an ongoing international push to disrupt major cybercrime operations.

Earlier in 2023, Europol and multiple international law enforcement partners carried out a major operation against the Ragnar Locker ransomware group, resulting in the arrest of its lead developer in Paris and coordinated actions in Czechia, Spain, and Latvia. Authorities also dismantled the group’s infrastructure in the Netherlands, Germany, and Sweden, and shut down its Tor-based data leak site following an extensive multi-country investigation.